Duff on Hospitality Law

On February 5, 2014 the U.S. Environmental Protection Agency launched the “WaterSense H2Otel” challenge, a program encouraging hotels to implement best management practices for reducing their water usage. As part of “WaterSense H2Otel,” the EPA is providing technical assistance using webinars and other forms of outreach including case studies on the “lessons learned” from other hotels’ efforts to reduce water usage. The challenge is designed for any individual hotel with five or more rooms, as well as hotel management groups and chains. EPA explains that WaterSense H2Otel is part of the agency’s broader (multi-sector) “WaterSense” program to promote water-efficient products, services and practices in an effort to address ever increasing demand for water in the U.S.

In coming weeks EPA will present a series of educational webinars on the WaterSense H2Otel challenge. The webinar dates and topics are as follows (each webinar is scheduled from 2:00 to 3:00 p.m. Eastern time):

March 6 – Assess, Track, Realize Paybacks

March 12 – Take the Plunge: The WaterSense H2Otel Challenge (this session will repeat the webinar EPA presented on February 27)

Our first of many anticipated privacy related posts comes from Colleen Hannigan of our Seattle office. Colleen is one of the newest members of our Hospitality, Travel and Tourism Practice and brings with her a wealth of privacy experience from Harvard Law School and her time spent at Berkman Center for Internet and Society. Welcome, Colleen, we look forward to many more posts in the future. - Greg

In September, 2013, Governor Jerry Brown of California signed into law Assembly Bill No. 370, which amends the California Online Privacy Protection Act (CalOPPA) to require that website and mobile app operators disclose whether they honor web browser “Do Not Track” signals. AB 370 took effect on January 1, 2014.

CalOPPA

CalOPPA has, since 2003, required operators of commercial websites or online services that collect personally identifiable information (PII) from California consumers (including, most notably, guests and customers from California) through the Internet to post, conspicuously, their privacy policies. PII is “identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form.” PII includes, but is not limited to, first and last names, home or other physical addresses, email addresses, telephone numbers, social security numbers, and any other identifier that permits the online or physical contacting of a specific individual. PII also includes “[i]nformation concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.”

CalOPPA requires privacy policies to make certain specific disclosures regarding how the website or app operator collects, uses, and discloses users’ PII. For example, operators must disclose the type(s) of data they collect and the categories of third parties with whom that information is shared, if any. In addition, privacy policies must provide an effective date, information regarding how a consumer can access and/or request changes to his or her PII, and a description of how the operator will notify consumers of policy changes.

Operators are in violation of CalOPPA if they knowingly and willfully, or negligently and materially fail to comply with either the law or the operator’s own privacy policy. Violators can incur a civil fine of up to $2,500 per violation. Importantly, the California Attorney General maintains that each non-compliant mobile app download constitutes a violation, which may trigger the fine.

Do Not Track and AB 370

Do Not Track (DNT) mechanisms typically are small pieces of code, similar to cookies, that signal to websites and mobile applications that the user does not want his or her website or app activities to be tracked. Most Internet browsers, including Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, and Apple Safari, allow users to choose whether to have the browser send out DNT signals. If a website that honors DNT signals receives such a signal, the browser blocks the website from collecting PII from that user.

AB 370 amends CalOPPA to require covered operators to update their privacy policies to include new disclosures. Specifically, the amended Act now requires that operators disclose:

How they respond to DNT signals or other mechanisms that allow consumers to choose whether and how PII about their online activities is collected over time, both by the operator and across third-party websites or online services; and

Whether third parties may collect such PII over time and across different websites when the consumer uses the operator’s website or service. However, the operator need not disclose the identities of such third parties.

AB 370 does not require website and app operators to obey DNT signals—it merely requires that operators disclose whether they obey or do not obey such signals. Operators may satisfy this requirement by either, if they do not respond to DNT signals, stating as much in their privacy policies, or, if they do respond to DNT signals, including in their policies a description of the program or protocol they use in responding or a clear and conspicuous hyperlink to an online location containing such a description.

Recommendations

Hoteliers and restaurateurs that operate websites, mobile applications, or other online services that collect personal information from California residents should familiarize themselves with both CalOPPA and AB 370. In addition, operators should review their websites and apps to determine how they respond to DNT signals and the tracking methods they use, as well as whether third parties (e.g. vendors or suppliers) conduct tracking activities on or using their websites or apps. Hoteliers and restaurateurs should then revise or update their privacy policies as needed.

Hoteliers and restaurateurs should be aware that other state laws and/or federal laws such as the Healthcare Information Portability and Accountability Act (HIPPA) or the Children’s Online Privacy Protection Act (COPPA) may also apply, depending on what information the Hotelier or restaurateur collects and from whom.

Please contact me or Greg if you have further questions regarding CalOPPA or any other privacy matter.

Today's blog is a litigation update on the devastating North Carolina hotel carbon monoxide leak. Please make sure that your business and hotel guests are protected. Thank you to Roger Hillman, GSB Hospitality Team member and Litigation Group Chair, for the post. - Greg

The recent deaths of three hotel guests (a husband and wife from Longview, WA, and an eleven year old boy) in North Carolina from lethal doses of carbon monoxide have sparked increased awareness of the risk of this exposure to hotel guests. This incident has also resulted in civil liability exposure, legislation, and even criminal charges. Over the past three years, eight people have died, and over 170 have been made ill from carbon monoxide poisoning hotels in the U.S. In addition, detection of carbon monoxide leaks has resulted in numerous evacuations of hotels, effecting thousands of guests.

Carbon monoxide is a colorless, odorless and tasteless toxic gas emanating from fuel burning devices such as furnaces, boilers, air conditioning units, laundry dryers, and water and swimming pool heaters. Carbon monoxide detectors, which retail for between $20 and $30 dollars, can alert hotel guests and operators of the presence of this gas before it reaches dangerous levels. The new North Carolina statute requires such detectors in facilities that contain equipment that has a danger of carbon monoxide leakage, as well as in hotel rooms which adjoin, or are above or below such facilities. Washington has a similar statute, which, while requiring carbon monoxide detectors in hotel/motel rooms, exempts rooms that do not contain or are not adjacent to units which contain fuel-burning appliances or fireplaces.

The families of the deceased in the North Carolina incidents have instituted litigation against the involved hotel. In addition, the general manager of the hotel has been indicted for three counts of involuntary manslaughter. The basis for the criminal charges is the unlicensed, unpermitted and, therefore uninspected, replacement of the pool heating system with used equipment which it was determined emitted dangerous levels of carbon monoxide. The potential civil liability stems from the same facts, as well as that the first incident resulted in no corrective action which would have prevented the death of the child in the second incident.

The publicity surrounding the North Carolina incident and the ensuing legal steps has heightened the awareness of this risk. Just as many of your guests now arrive with black lights to scan for bed bug infestation, you can expect inquiries as to the presence of carbon monoxide detectors in your accommodations. Even though not yet required in all rooms, in all locations, the installation of carbon monoxide detectors is a small price to pay for your and your guests’ peace of mind.

Search This Blog

Subscribe

Greg Duff, EditorGreg Duff founded and chairs GSB’s national Hospitality, Travel & Tourism group. His practice largely focuses on operations-oriented matters faced by hospitality industry members, including sales and marketing, distribution and e-commerce, procurement and technology. Greg also serves as counsel and legal advisor to many of the hospitality industry’s associations and trade groups, including AH&LA, HFTP and HSMAI.